Roles & Responsibilities
The Governance, Risk, and Compliance Manager is responsible for developing, implementing and maintaining the State's coordinated security compliance and privacy program that promotes the identification and protection of personal identifying or otherwise confidential information within state systems in accordance with Statewide Policies and Standards. The position of Chief Privacy and Compliance Officer also acts as the state's HIPAA coordinator. This position supports the State Chief Information Security Officer and Deputy State CISO and contributes to the direction and overall strategy of Statewide Information Security for the State of Arizona.
- K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.
- K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
- K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
- S0176: Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
- S0354: Skill in creating policies that reflect the business’s core cybersecurity and privacy objectives.
- S0355: Skill in reviewing vendor agreements and evaluating vendor cybersecurity and privacy practices.
- Ability to serve as a senior member of a team and to form, manage, and lead teams or units of varying skills.
- A0024: Ability to develop clear directions and instructional materials.
- A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
- A0034: Ability to develop, update, and/or maintain standard operating procedures (SOPs).
- A0104: Ability to select the appropriate implant to achieve operational goals.
- Develop, implement, maintain, and lead the State's Information Security Compliance program, which promotes and ensures the adherence of State budget units and service providers to Statewide Information Security Policies, Standards, Procedures, and applicable regulatory requirements. This includes reviewing budget units' policies, standards, PIJ and RFP submissions, and security assurance plans as necessary.
- Work with legal counsel, procurement, and budget unit representation to ensure both existing and new services comply with security requirements and regulations.
- Develop, implement, maintain, and lead the State's coordinated Privacy Program that promotes the protection of personal identifying information and other confidential information collected, used, and maintained by the state and its agencies for business operations.
- Work with legal counsel, procurement, and budget unit representation to ensure both existing and new services comply with privacy requirements and regulations.
- Develop, implement, and lead the State's coordinated Vulnerability Management Program. Assist budget units with identifying vulnerabilities and the associated information security and privacy protection risks, and provide direction on risk mitigation strategies, methods, and procedures for the State.
- Develop, implement, and lead the coordinated statewide Security Awareness Training Program in collaboration with training teams, HR, and other divisions and budget units as required.
- Monitor and report compliance of each State budget unit with the Statewide Information Security and Privacy Protection Policies and Standards in coordination with the Office of the Auditor General.
- Act as the HIPAA coordinator for the State, and coordinate breach notifications resulting from major data breaches within the State, including but not limited to the annual required reporting to HHS.
Bachelor’s degree and 8 years of extensive technical experience in Information Security Systems (or equivalent experience). Professional certifications in Information Security and Networking Systems (hardware and software) are highly desirable, as is an in-depth knowledge and understanding of specific information protection standards (NIST, HIPAA, PCI, IRS, etc., as appropriate).